The remote host does not discard TCP SYN packets that have the FIN flag set.

Depending on the kind of firewall you are using, an attacker may use this flaw to bypass its rules.

The remote host is running a syslog server (most likely a Check Point NG syslog server) with a denial of service vulnerability. A remote, attacker could exploit this to crash this server. It is not known whether or not this vulnerability could result in arbitrary code execution.

Please note Nessus crashed the service while performing this check.

It is possible to bypass the rules of the remote firewall by sending UDP packets with a source port equal to 53.

An attacker may use this flaw to inject UDP packets to the remote hosts, in spite of the presence of a firewall.

Kerio Personal Firewall is vulnerable to a buffer overflow attack involving the administrator authentication process. An attacker may use this to crash Kerio or to execute arbitrary code on the system.

The remote Check Point FireWall is open to Web administration.

An attacker can use it to launch a brute-force password attack against the firewall, and eventually take control of it.

The remote service (probably the Tivoli Relay daemon) is vulnerable to a buffer overflow when it receives a long string.

An attacker may use this flaw to execute arbitrary code on this host (with the privilege of the user 'nobody').

The report host understands the L2TP tunneling protocol and appears to be a VPN endpoint, or more specifically, an L2TP Network Server.

Gopher is an old network protocol which predates HTTP and is nearly unused today. As a result, gopher-compatible software is generally less audited and more likely to contain security bugs than others.

By making gopher requests, an attacker may evade your firewall settings, by making connections to port 70, or may even exploit arcane flaws in this protocol to gain more privileges on this host.

The SOCKS4 service running on the remote host crashes when it receives a request with a long username.  An attacker may be able to leverage this issue to disable the remote service or even execute arbitrary code on the affected host.

The SOCKS4a service running on the remote host crashes when it receives a request with a long hostname.  An attacker may be able to leverage this issue to disable the remote service or even execute arbitrary code on the affected host.

It is possible to connect to firewall-protected ports on the remote host by setting the source port to 20. An attacker may use this flaw to access services that should not be accessible to outsiders on this host.

The remote host appears to be running either BlackICE or RealSecure Server Sensor.

This application has a remote buffer overflow vulnerability.  It was possible to crash the application by flooding it with 10 KB ping packets.

A remote attacker could exploit this to cause a denial of service, or potentially execute arbitrary code.

The remote squid caching proxy, according to its version number, is vulnerable to various buffer overflows.

An attacker may use these to gain a shell on this system.

A problem exists in the way the remote Squid proxy server handles a special 'mkdir-only' PUT request, and causes denial of service to the proxy server.

An attacker may use this flaw to prevent your LAN users from accessing the web.

Raptor FW 6.5 appears to be running in front of the remote web server.  By sending an invalid HTTP request to a web server behind the Raptor firewall, the HTTP proxy itself will respond.  The server banner of Raptor FW version 6.5 is always 'Simple, Secure Web Server 1.1'.  A remote attacker could use this information to mount further attacks.

The Check Point FireWall-1 Client Authentication web server is used to authenticate a user via HTTP. Once authenticated, the user can get more privileges on the network (ie: get access to hosts which were previously blocked by the firewall).

The Check Point FireWall-1 Client Authentication server is used to authenticate a user via telnet.  Once authenticated, the user can get more privileges on the network (ie, get access to hosts that were previously blocked by the firewall).

It was possible to make the remote service crash by sending it the command :

	connect AAA[...]AAAA://

It may be possible for an attacker to execute arbitrary code on this host thanks to this flaw.

The remote SMTP server seems to be protected by a content filtering firewall probably Cisco's PIX.

However, an attacker may bypass this content filtering by issuing a DATA command before a MAIL command, that allows him to directly communicate with the real SMTP daemon.

The port 2000 is open, and Novell BorderManager
*might* be listening on it.

There is a denial of service attack that allows an intruder to make a Novell BorderManager 3.5 slowly die.

If you see an error message on this computer telling you 'Short Term Memory Allocator is out of Memory' then you are vulnerable to this attack.

An attacker may use this flaw to prevent this service from doing its job and to prevent the user of this station to work on it.

*** If there is no error message whatsoever on this
*** computer, then this is likely a false positive.

The version of the DeleGate proxy server has a remote buffer overflow vulnerability.  This issue can be triggered by issuing the following command :

  whois://a b 1 AAAA..AAAAA

A remote attacker could exploit this issue to cause a denial of or execute arbitrary code.

There are reportedly hundreds of other remote buffer overflow vulnerabilities in this version of DeleGate, though Nessus has not checked for those issues

It is possible to make the remote Axent raptor freeze by sending it a IP packet containing special options (of length equals to 0)

An attacker may use this flaw to make the remote firewall crash continuously, thus preventing the network from working properly.

It was possible to crash either the remote host or the firewall in between us and the remote host by sending an UDP packet going to port 0.

This flaw may allow an attacker to shut down your network.

The remote host has the three TCP ports 256, 257, and 258 open. It's very likely that this host is a Check Point FireWall/1.
A remote attacker could use this information to mount further attacks.

The remote web proxy accepts unauthenticated HTTP requests from the Nessus scanner.  By routing requests through the affected proxy, a user may be able to gain some degree of anonymity while browsing websites, which will see requests as originating from the remote host itself rather than the user's host.

The proxy allows the users to perform POST requests such as

	POST http://cvs.nessus.org:21

without any Content-length tag.

This request may give an attacker the ability to have an interactive session.

This problem may allow attackers to go through your firewall, by connecting to sensitive ports like 23 (telnet) using your proxy, or it can allow internal users to bypass the firewall rules and connect to ports they should not be allowed to.

In addition to that, your proxy may be used to perform attacks against other networks.

The remote proxy, allows everyone to perform requests against arbitrary ports, such as :

'GET http://cvs.nessus.org:110'. 

This problem may allow attackers to go through your firewall, by connecting to sensitive ports like 25 (sendmail) using the proxy. In addition to that, it might be used to perform attacks against other networks.

The proxy allows users to perform CONNECT requests such as :

	CONNECT http://cvs.example.org:23 

This request gives the person who made it the ability to have an interactive session with a third-party site. 

This issue may allow attackers to bypass your firewall by connecting to sensitive ports such as 23 (telnet) via the proxy, or it may allow internal users to bypass the firewall rules and connect to ports or sites they should not be allowed to. 

In addition, your proxy may be used to perform attacks against other networks.

ID	Name	Severity
11618	TCP/IP SYN+FIN Packet Filtering Weakness	medium
11613	Check Point FireWall-1/VPN-1 Syslog Daemon Remote Overflow DoS	medium
11580	Firewall UDP Packet Source Port 53 Ruleset Bypass	high
11575	Kerio Personal Firewall Administrator Authentication Handshake Packet Remote Buffer Overflow	high
11518	Check Point FireWall-1 Open Web Administration	info
11434	IBM Tivoli Firewall Toolbox (TFST) Unspecified Remote Overflow	critical
11387	L2TP Network Server Detection	info
11305	HTTP Proxy Open gopher:// Request Relaying	info
11164	NEC SOCKS4 Module Username Handling Remote Overflow	critical
11126	AnalogX Proxy SOCKS4a DNS Hostname Handling Remote Overflow	critical
11052	BenHur Firewall Source Port 20 ACL Restriction Bypass	medium
10927	ISS BlackICE / RealSecure Large ICMP Ping Packet Overflow DoS	high
10923	Squid FTP URL Special Character Handling Remote Overflow	high
10768	Squid mkdir-only PUT Request Remote DoS	medium
10730	Raptor Firewall 6.5 HTTP Proxy Detection	medium
10676	Check Point FireWall-1 HTTP Client Authentication Detection	info
10675	Check Point FireWall-1 Telnet Client Authentication Detection	info
10596	tinyProxy Long Connect Request Overflow	medium
10520	Cisco PIX Firewall Mailguard Feature SMTP Content Filter Bypass	high
10163	Novell BorderManager Port 2000 Telnet DoS	medium
10054	DeleGate Multiple Function Remote Overflows	critical
10022	Axent Raptor Firewall Zero Length IP Remote DoS	high
10074	Check Point FireWall-1 UDP Port 0 DoS	high
10044	Check Point FireWall-1 Identification	medium
10195	HTTP Proxy Open Relay Detection	info
10194	HTTP Proxy POST Request Relaying	medium
10193	HTTP Proxy Arbitrary Site/Port Relaying	medium
10192	HTTP Proxy CONNECT Request Relaying	info

Detections

Analytics

Firewalls Family for Nessus

medium

medium

high

high

info

critical

info

info

critical

critical

medium

high

high

medium

medium

info

info

medium

high

medium

critical

high

high

medium

info

medium

medium

info